FTC Releases Report and Practical Advice on the Internet of Things

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.

The FTC Staff Report defines the Internet of Things (IoT) as “the ability of everyday objects to connect to the Internet and to send and receive data.” Examples of such objects are bracelets that track fitness activities and share the data with friends, cameras that post pictures online, RFID tags to monitor inventory, and home automation systems to monitor lights, temperature and security and report to homeowners when they are away. In health care, such objects include medical devices that monitor vital signs and other patient data, such as insulin pumps and blood pressure cuffs, and then share this data with physicians and caregivers. Basically, the IoT is “essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.”

The number of “things” connected to the Internet is greater than the number of people, and, as of this year, there will be 25 billion devices connected to the Internet. But this increased connectivity comes with increased privacy and security risks. First, financial and personal data stored on these devices can be stolen. Second, when the objects are connected to a network, security vulnerabilities in the objects may leave those networks open for denial of service and other attacks. Third, these security risks can create risks to physical safety and lives. Examples of these physical risks include remote hacks into insulin pumps or cars to change safety settings.

The report also summarizes discussions from a workshop entitled “The Internet of Things: Privacy and Security in a Connected World,” which the FTC hosted on November 19, 2013. Those discussions concerned the application to the IoT of the Fair Information Practice Principles (FIPPs) of notice, choice, access, accuracy, data minimization (the “concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it”), security, and accountability, and specifically whether data minimization, notice, and choice sufficiently protect consumer privacy in the IoT. The FTC also weighs in with its views on the subjects of data security, data minimization, and notice and choice.

The FTC recommends that businesses implement some or all of these best practices related to the IoT:

  • “[C]ompanies should implement ‘security by design’ by building security into their devices at the outset, rather than as an afterthought.”
  • “[C]ompanies must ensure that their personnel practices promote good security. As part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization.”
  • “[C]ompanies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.”
  • “To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.”
  • Workshop participants discussed the following options for consumers to express their privacy and security choices: (1) choices at point of sale; (2) tutorials; (3) codes on the devices; and (4) choices during set-up. The privacy choices a business offers “should be clear and prominent, and not buried within lengthy documents.”

The FTC also released a new publication, “Careful Connections: Building Security in the Internet of Things,” containing practical advice for businesses developing the next generation of connected devices.

Businesses involved with the IoT should review both of these publications and consider whether to implement any, or all, of these recommendations.

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
